matching number.

Note

You can also run this command in reverse: give it a numerical MIB and it will spell out the whole named MIB.

Setting Up Snmpd

Before you can use SNMP to monitor your system, you need to set up the snmp daemon. Rather than installing a default configuration file, the net-snmp port installs a sample configuration file in /usr/local/share/examples/ucd-snmp/EXAMPLE.conf. In addition to having default communities of “public” and “private”, this default configuration includes a variety of possible security holes. Fortunately, net-snmp includes a program to create an SNMP daemon configuration file, snmpconf(1). To use snmpconf to create a standard configuration for your system, run this command:

    # snmpconf -i -g basic_setup

This command will take you through a basic snmpd configuration, which will install the file in the proper place. (Since we’ll be using snmpconf only once, we won’t go over each part of this command.) The configuration is fairly straightforward, but we’ll walk through it to be sure you’ve set everything properly. (While this program lets you set all sorts of advanced stuff, we’ll only configure what we need in order to perform basic monitoring.)

Snmpconf will ask many “yes” or “no” questions. You should first see something like this:

    ************************************************
    *** Beginning basic system information setup ***
    ************************************************
    Do you want to configure the information returned in the system MIB group (contact info, etc)? (default = y):

You do want to provide some basic system information, so type y.

    Configuring: syslocation
    Description: The [typically physical] location of the system.
      arguments: location_string

    The location of the system:
Enter a system location here, like “server room” or “server room A-30”, or whatever works. This designation can be helpful if you have multiple servers in multiple locations, but if you have only one server it’s almost moot. But beware: Whatever you enter will show up in monitoring software, so be sure to not put anything offensive or irrelevant here.
without bothering to log on to the NT system? Try this:

    # snmpwalk windowsserver public .1.3.6.1.4.1.311.1.1.3.1.1.1.1.0
    enterprises.311.1.1.3.1.1.1.1.0 = 154447872
    #

It can be much simpler to use specific queries like this than it would be to log into a system to run top; and these queries work on any system with SNMP tools. Later, we’ll automatically query servers by MIB and use the results to generate our pretty graphs of server status. Commercial solutions for checking SNMP servers run to hundreds or thousands of dollars. Using these free SNMP tools is an excellent way to begin using FreeBSD on any network.

Translating Between Numbers and Names

So you want to know how to translate between the numbers and the words? And you wonder what MIBs are available on your system and perhaps even what they mean? Well, that’s not entirely unreasonable. The net-snmp port includes the translation tool snmptranslate(1).

First, choose a MIB that you want to translate. You have the output of an snmpwalk run on your system saved, right? Well, let’s pluck a bit of output from it and see what we have. I’ll pick the following line from my local system:

    enterprises.ucdavis.memory.memAvailSwap.0 = 204672

This looks important, doesn’t it? Available swap would be handy to know. To begin with, you need to know that snmpwalk gives only the last section of the MIB. You have to know that the enterprises tree is always prefaced by .1.3.6.1.4. (This is common knowledge in the SNMP world.) Now, armed with that esoteric knowledge, give this full MIB, and the -Td switch, to snmptranslate:
    # snmptranslate -Td .1.3.6.1.4.enterprises.ucdavis.memory.memAvailSwap.0
    .1.3.6.1.4.1.2021.4.4.0
    memAvailSwap OBJECT-TYPE
      -- FROM UCD-SNMP-MIB
      SYNTAX INTEGER
      MAX-ACCESS read-only
      STATUS current
      DESCRIPTION "Available Swap Space on the host."
    ::= { iso(1) org(3) dod(6) internet(1) private(4) enterprises(1) ucdavis(2021) memory(4) memAvailSwap(
    #

This gives you a heap of useful information about the MIB, including its numerical equivalent (.1.3.6.1.4.1.2021.4.4.0) and its description (“Available Swap Space on the host.”). Note the numerical MIB; we’ll need it soon. The last tidbit is the name of each part of the MIB and its
the name change. You’ll see references to both net-snmp and ucd-snmp.

When you install net-snmp from ports, the build process will ask you several different questions. Go ahead and accept the defaults; you can override them later with the configuration file we’ll create. The net-snmp port includes an SNMP client, an SNMP server, and a translation tool. We’ll consider each in turn.

Snmpwalk

The net-snmp port includes a generic tool, snmpwalk(1), that you can use to examine the SNMP tree on other hosts. Snmpwalk works well on any sort of server: I use my FreeBSD system to snmpwalk Cisco routers, assorted switches, other BSD machines, and even Windows-based systems. To use snmpwalk, give it the name of the host you want to check and the SNMP community name:

    # snmpwalk hostname community

Try snmpwalk on a system running an SNMP daemon, using the default community of “public”:

    # snmpwalk hostname public > snmpwalk.out
    #

The snmpwalk command generates a lot of output, so in this example we’ve redirected it to a file. Look at the output. You may be surprised at the amount of information a system offers via SNMP.

Specific Snmpwalk Queries

You can also make very specific queries via SNMP simply by specifying the portion of the tree you’re interested in. For example, suppose you want to know the value of the MIB .1.3.6.1.4.1.2021.11.9.0. (This is the percentage of CPU time spent on user programs when running the net-snmp server. The next section tells us how to get that information.) You can add this MIB to the end of your snmpwalk query to just ask about that MIB.

    # snmpwalk localhost public .1.3.6.1.4.1.2021.11.9.0
    enterprises.ucdavis.systemStats.ssCpuUser.0 = 1
    #

This tells me that 1 percent of my system CPU time is being spent running user programs. Nifty, eh?
You can use snmpwalk to get information from any device that speaks SNMP. For example, the Windows NT documentation tells us that the MIB 1.3.6.1.4.1.311.1.1.3.1.1.1.1 represents available memory. How about using snmpwalk from your FreeBSD system to check this value
system, this first category would not even exist. The ifTable is the interface table, or a list of all the interfaces on the system. ifEntry shows one particular interface, and ifOutErrors means that we’re looking at the outbound errors on this particular interface. Finally, the trailing 1 means that we’re interested in interface number 1.

MIBs can also be expressed as numbers, and most SNMP tools prefer numerical MIBs. Unfortunately (or not) our feeble brains prefer words, but your poor brain must be capable[3] of working with either. (We’ll learn exactly how to do this translation with a particular piece of software in the section “Translating Between Numbers and Names”; for now, just trust me.) The preceding example can be translated to this:

    .1.3.6.1.2.1.2.2.1.20.1

Expressed as words, the MIB has five terms separated by periods. Expressed as numbers, the MIB has 11. That doesn’t look right if they’re supposed to be the same. What gives? The numerical MIB is longer because it includes the default .1.3.6.1.2.1, which means .iso.org.dod.internet.mgmt.mib-2. This is the standard subset of MIBs used on the Internet (SNMP could also be used to manage non-Internet devices). Almost every MIB you encounter will have this leading string, which is why almost nobody bothers writing it down anymore. If you’re in one of those kinky moods, you can even mix words and numbers:

    .1.org.6.1.mgmt.1.interfaces.ifTable.1.ifOutErrors.1

These MIBs look useful, but how do you find out what each one means? SNMP MIBs can vary from device to device and with the server used. Check the documentation for your SNMP agent, or your device, to see which MIBs are available. When you make an SNMP query, you’ll use the MIB to extract exactly the information you want.
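A small name/number resolver for the MIB spellings just discussed, added here as an illustration; it is not the chapter's own code and it is not snmptranslate, which reads the real MIB files. Its tree holds only the branches this chapter names (the mib-2 interfaces group and the ucdavis enterprise), so any other name is unknown to it; it handles pure names, pure numbers and the mixed form, and supplies the implicit .1.3.6.1.2.1 (mib-2) prefix when a path starts with a name below mib-2, the way snmpwalk output does.

```python
# Added example: resolve the MIB spellings used in the text (names, numbers,
# or a mix) to numeric OIDs and back.  Only the branches the text mentions
# are loaded; snmptranslate(1) does the same job from the full MIB files.

# Children of each node, keyed by the node's numeric path: {number: name}
MIB_TREE = {
    (): {1: "iso"},
    (1,): {3: "org"},
    (1, 3): {6: "dod"},
    (1, 3, 6): {1: "internet"},
    (1, 3, 6, 1): {2: "mgmt", 4: "private"},
    (1, 3, 6, 1, 2): {1: "mib-2"},
    (1, 3, 6, 1, 2, 1): {2: "interfaces"},
    (1, 3, 6, 1, 2, 1, 2): {2: "ifTable"},
    (1, 3, 6, 1, 2, 1, 2, 2): {1: "ifEntry"},
    (1, 3, 6, 1, 2, 1, 2, 2, 1): {20: "ifOutErrors"},
    (1, 3, 6, 1, 4): {1: "enterprises"},
    (1, 3, 6, 1, 4, 1): {2021: "ucdavis"},
    (1, 3, 6, 1, 4, 1, 2021): {4: "memory", 11: "systemStats"},
    (1, 3, 6, 1, 4, 1, 2021, 4): {4: "memAvailSwap"},
    (1, 3, 6, 1, 4, 1, 2021, 11): {9: "ssCpuUser"},
}
# The prefix snmpwalk leaves out: .iso.org.dod.internet.mgmt.mib-2
MIB2 = (1, 3, 6, 1, 2, 1)


def to_numeric(path: str) -> str:
    """Translate a named, numeric or mixed MIB path to dotted numbers.

    A path that starts with a number or with 'iso' is taken from the root;
    one that starts with any other name is assumed to hang below mib-2.
    """
    parts = [p for p in path.split(".") if p]
    if not parts:
        raise ValueError("empty MIB path")
    resolved = [] if parts[0].isdigit() or parts[0] == "iso" else list(MIB2)
    for part in parts:
        children = MIB_TREE.get(tuple(resolved), {})
        if part.isdigit():
            number = int(part)  # numbers are accepted anywhere, known or not
        else:
            by_name = {name: num for num, name in children.items()}
            if part not in by_name:
                known = "." + ".".join(map(str, resolved))
                raise KeyError(f"{part!r} is not a known child of {known}")
            number = by_name[part]
        resolved.append(number)
    return "." + ".".join(map(str, resolved))


def to_names(path: str, strip_mib2: bool = False) -> str:
    """Spell out a MIB path with names where the tree knows them.

    Numbers without a name (the 311 branch, instance suffixes) stay numeric.
    With strip_mib2=True the leading mib-2 prefix is dropped, giving the
    short form that snmpwalk prints for mib-2 objects.
    """
    numbers = [int(p) for p in to_numeric(path).split(".") if p]
    start = len(MIB2) if strip_mib2 and tuple(numbers[:len(MIB2)]) == MIB2 else 0
    names, prefix = [], []
    for num in numbers:
        label = MIB_TREE.get(tuple(prefix), {}).get(num, str(num))
        prefix.append(num)
        names.append(label)
    return ".".join(names[start:])


if __name__ == "__main__":
    for spec in ("interfaces.ifTable.ifEntry.ifOutErrors.1",
                 ".1.org.6.1.mgmt.1.interfaces.ifTable.1.ifOutErrors.1",
                 ".1.3.6.1.4.enterprises.ucdavis.memory.memAvailSwap.0"):
        print(f"{spec} -> {to_numeric(spec)}")
    print(to_names(".1.3.6.1.4.1.2021.11.9.0"))
```

Feeding it the bare snmpwalk form enterprises.ucdavis.memory.memAvailSwap.0 raises KeyError, which is exactly why the text tells you to prepend .1.3.6.1.4 before handing such a line to snmptranslate.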
Since most networked devices shouldn’t give out information to just anyone, let’s look at how SNMP provides basic security with communities.

Net-snmp

Net-snmp (http://net-snmp.sourceforge.net/) is the best set of SNMP programs that runs on FreeBSD. It’s small, extensible, and efficient, and it’s included as a FreeBSD port (/usr/ports/net/net-snmp4). This is a popular package, and the port is generally quite up to date because the net-snmp folks are actively interested in FreeBSD and are quite responsive to useful problem reports, requests for help, or (better still) patches.

Note

Just to make things slightly difficult, net-snmp was previously called ucd-snmp. The University of California at Davis is no longer quite so involved in the project, hence
[2] Don’t blindly follow this example, or I’ll look for anything interesting in your logs and post it in some prominent public location. Do not log to someone else’s logging host!

Reporting with SNMP

The report emails are good, but they’re very general, and logs are difficult to read for long-term trends. To learn more about how your server is doing, either now or in the long term, use the Simple Network Management Protocol (SNMP) reporting tool. SNMP is an industry-standard way to gather information from hosts across a network. Many different vendors support SNMP, and you can use the techniques we discuss here to monitor any SNMP-speaking device. You can use free tools to tell SNMP to generate nice, pretty pictures of how well your system is working. To use those tools effectively, however, you must have some basic understanding of what SNMP is and how it works. Once you understand that, we’ll consider the most popular set of SNMP tools for FreeBSD.

Basics of SNMP

SNMP works on a standard client/server model. The SNMP client, or agent, sends a request across the network to an SNMP server running on a computer. The SNMP server, snmpd, then gathers information from the local system and returns it to the client. An SNMP agent can also send a request to make changes to the SNMP server. If your system is properly (or improperly, depending on your point of view) configured, you can issue commands via SNMP. This “write” configuration is most commonly used in routers, switches, and other network devices. UNIX has its own configuration system, and doesn’t usually let you issue instructions via SNMP. (Some daemons might allow you to configure them via SNMP, and you can write shell scripts to be called by setting an SNMP value, but those are special cases.) For our purposes, we don’t want to be able to write configurations at all.
Writing system configurations or instructions via SNMP requires careful setup and raises all sorts of security issues; it’s an excellent topic for an entire book.

MIBs

SNMP manages its information via a Management Information Base, or MIB. (We saw an example of a MIB tree in Chapter 4, when discussing sysctls.) Each SNMP server has a list of information it can extract from the local computer. The server arranges these bits of information into a hierarchical system, or Management Information Base tree. Each SNMP MIB tree has a very general main category, network, physical system, programs, and so on, with more specific subdivisions. Think of these trees as well-organized directories, where subdirectories contain more specific information. Similarly, the uppermost MIB contains a variety of MIBs beneath it. MIBs are referred to by name or by number. For example, here’s a MIB pulled off a sample system:

    interfaces.ifTable.ifEntry.ifOutErrors.1

The first term in this MIB, interfaces, shows us that we’re looking at the network interfaces on the system (network cards, parallel ports, and so on). If there were no interfaces on this particular
condition (meaning you want to rotate every day, no matter how large the file gets), use an asterisk (*) in the other field.

Flags

Now that you know how to express the exact time that you want your log to run, we encounter the flags field (Z in our example), which offers two options for handling your log files. Some programs log their data in plain text, while others use a binary format; each sort of log needs to be treated differently. Binary files can only be written to in a very specific manner. Newsyslog starts each new log file with a “log-file turned over” message, but adding this to a binary file will damage it. The B flag tells newsyslog that this is a binary file, and that the message should not be written. On the other hand, many log files are plain ASCII text, and compressing them can save a huge amount of space. The Z flag tells newsyslog to compress the rotated log files with gzip. You can use only one of these flags; after all, compressing binaries doesn’t save much room, and only text logs can use a “turned over” message.

Pidfile Path

The next field is the pidfile path (not shown in our example). A pidfile is a simple way to record a program’s process ID (PID) so that other programs can easily view it. Not all programs have pidfiles; the ones that do store their pidfiles under /var/run (take a look and see what’s on your system). If you list the full path to a pidfile in /var/run, newsyslog will send a kill-style signal to that program when it rotates the log. For example, the Apache Web server needs to be notified when you rotate its logs. By listing its pidfile here, you can have newsyslog send a kill to Apache so it will handle its part of log-file rotation. Most programs will handle log-file rotation on a kill, or SIGHUP, but some programs need a specific signal when a log file is rotated. If you have one of these programs, you can list its exact signal number in the last field.
Example newsyslog.conf Entry

Let’s slap this all together in a worst-case, you-have-got-to-be-kidding example. Assume you have a database log file that you want to rotate at 11 PM on the last day of every month. The database documentation says that you need to send the program an interrupt signal (SIGINT, or signal number 2) upon rotation. You want the archived logs to be owned by the user dbadmin, and only viewable by that user, and you need six months of logs. What’s more, the logs are binary files. Your newsyslog.conf line would look like this:

    /var/log/database dbadmin: 600 6 * $MLH23 B /var/run/db.pid 2

This is an extreme example; in most cases, you just slap in the filename and rotation condition and you’re done. But I thought I’d make you twitch.
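To see exactly when a time field such as the $MLH23 above fires, here is a matcher for the newsyslog.conf time field, added as an illustration (it is not the chapter's code, nor newsyslog's own). It covers all four forms the chapter describes: an asterisk, a bare hour count, the @ ISO 8601 restricted form (@T23, @7T, @4T00) and the $ month-week-hour form ($W0H8, $M5H12, $MLH22). Matching is at hour granularity, since cron runs newsyslog once an hour; minutes and seconds in an @ time are parsed but not compared.

```python
# Added example: evaluate the newsyslog.conf time field for a given hour.
# This is an illustration, not newsyslog's own code; matching is at hour
# granularity because cron runs newsyslog once an hour.
import calendar
import datetime as dt
import re


def clock(year: int, month: int, day: int, hour: int) -> dt.datetime:
    """Build the wall-clock hour at which newsyslog is assumed to run."""
    return dt.datetime(year, month, day, hour)


def parse_iso8601_restricted(spec: str) -> dict:
    """Return the fields fixed by '@[date]T[time]'; omitted ones are wildcards.

    Digits left of the T are read right to left (day, month, year); digits
    right of the T are read left to right (hour first; minutes are ignored).
    So '@T23' fixes only the hour and '@7T' only the day of the month.
    """
    date_part, sep, time_part = spec[1:].partition("T")
    if not sep or not re.fullmatch(r"\d*", date_part) or not re.fullmatch(r"\d*", time_part):
        raise ValueError(f"bad ISO 8601 restricted time: {spec!r}")
    date_part = date_part.zfill(len(date_part) + len(date_part) % 2)  # '7' -> '07'
    fixed = {}
    if len(date_part) >= 2:
        fixed["day"] = int(date_part[-2:])
    if len(date_part) >= 4:
        fixed["month"] = int(date_part[-4:-2])
    if len(date_part) >= 8:
        fixed["year"] = int(date_part[-8:-4])
    if len(time_part) >= 2:
        fixed["hour"] = int(time_part[:2])
    return fixed


_MWH = re.compile(r"\$(?:M(?P<M>L|\d{1,2}))?(?:W(?P<W>\d))?(?:H(?P<H>\d{1,2}))?")


def mwh_matches(spec: str, when: dt.datetime) -> bool:
    """True if a '$M<day>W<weekday>H<hour>' spec fires during the hour of `when`."""
    m = _MWH.fullmatch(spec)
    if not m or spec == "$":
        raise ValueError(f"bad month-week-hour time: {spec!r}")
    day, wday, hour = m.group("M", "W", "H")
    if day is not None:
        # 'L' means the last day of whichever month `when` falls in
        last = calendar.monthrange(when.year, when.month)[1]
        if when.day != (last if day == "L" else int(day)):
            return False
    if wday is not None:
        # newsyslog counts 0=Sunday..6=Saturday; Python counts 0=Monday..6=Sunday
        if int(wday) > 6 or int(wday) != (when.weekday() + 1) % 7:
            return False
    if hour is not None and (int(hour) > 23 or int(hour) != when.hour):
        return False
    return True


def rotation_due(field: str, when: dt.datetime, last_rotated: dt.datetime = None) -> bool:
    """Decide whether the time field of one entry calls for rotation at `when`."""
    if field == "*":
        return False  # rotation is driven by size only (or never)
    if field.isdigit():
        # a bare number is an interval in hours since the previous rotation
        if last_rotated is None:
            raise ValueError("interval rotation needs the last rotation time")
        return when - last_rotated >= dt.timedelta(hours=int(field))
    if field.startswith("@"):
        fixed = parse_iso8601_restricted(field)
        return all(getattr(when, name) == value for name, value in fixed.items())
    if field.startswith("$"):
        return mwh_matches(field, when)
    raise ValueError(f"unrecognised time field: {field!r}")


if __name__ == "__main__":
    # the worst-case entry above rotates at 23:00 on the last day of the month
    print(rotation_due("$MLH23", clock(2002, 2, 28, 23)))  # True
    print(rotation_due("$W0H8", clock(2002, 2, 3, 8)))     # Sunday 8 AM: True
    print(rotation_due("@4T00", clock(2002, 3, 4, 0)))     # 4th of any month: True
```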
ISO8601 Time Format

Any entry beginning with an at symbol (@) is in ISO 8601 restricted time format. This is a standard used by newsyslog on most UNIX systems, and was the time format originally used in MIT’s primordial newsyslog program. Unfortunately, this standard is not at all clear, but since it’s a standard, FreeBSD supports it.

A full date in ISO 8601 format is 16 digits with a T in the middle. The first four digits are the year; the next two are the month; the next two are the date. The T is inserted after the date as a sort of decimal point, separating whole days from fractions of one. An ISO 8601 date must include the T. The next two digits are hours; the next two are minutes; the next two are seconds. For example, the date and time February 2, 2002, 9:15 and 8 seconds PM is expressed in ISO 8601 as

    20020202T211508

While complete dates in ISO 8601 are mostly straightforward, confusion arises when you don’t list the entire date. For example, you can choose to specify only fields near the T, leaving fields farther away blank, which will be read as wildcards. For example, T23 matches the twenty-third hour of every day of the year. With a newsyslog time of @T23, the log rotates every day at 11 PM, and 4T00 matches midnight of the fourth day of every month. As with crontab, you must specify hours. A date like @7T will run once an hour, every hour, on the seventh of the month. After all, it matches all day long! This can be useful for debugging, but isn’t generally desirable.

FreeBSD-Specific Time

One problem with the ISO 8601 time system is that it doesn’t allow you to easily designate weekly jobs (it’s not uncommon to want to rotate a log on Mondays, for example), and it’s impossible to specify the last day of the month. That’s where the final time format comes in. Any time with a leading dollar sign ($) is written in the FreeBSD-specific month-week-day format.
This format works much like cron, allowing you to set particular days of the week to run a job on, and uses three identifiers: M (day of month), W (day of week), and H (hour of day). Each identifier is followed by a number indicating the particular time it should be run. Hours range from 0 to 23, while weekdays range from 0 (Sunday) to 6 (Saturday). M starts with 1, and goes up to the number of days in that particular month. For example, to rotate a log every Sunday at 8 AM you could use a time of $W0H8. To rotate the log on the fifth of each month at noon, you could use $M5H12.

One interesting feature of this system is that it lets you automatically schedule a job for the last day of the month by using L to represent the last day of the month. Without this, it’s very difficult to do an end-of-month job without writing a script that knows how many days are in each month, compares the current date to the scheduled date, and decides if it will start the program. (That gets ugly quickly.) For example, to start your month-end log-file accounting two hours before the end of the month, use a time of $MLH22.

Note

You can rotate logs at a given time, or when they reach a certain size, or both. If you use both, the log will rotate whenever either condition is met. If you’re only rotating on one
You can choose to only change the owner, or only change the group. In these cases you must use a colon, even though nothing appears on the other side of it. For example, :www will change the group to www, while user827: will change the owner to user827.

Permissions

The third field (640 in our example) is the permissions mode, in standard UNIX three-digit notation. (See Chapter 7 for details.)

Count

Next is the count field (having a value of 3 in our example), which represents the number of old log files that newsyslog will keep, kind of. Newsyslog starts counting archived log files at 0. Many computer systems start numbering at 0, but newsyslog includes 0 as well as the count number. With the default count setting of 5 for /var/log/messages, /var/log includes the following files:

    messages
    messages.0.gz
    messages.1.gz
    messages.2.gz
    messages.3.gz
    messages.4.gz
    messages.5.gz

Those of you who can count will recognize that this is six backups, not five, plus the current log file! While, as a rule, it’s better to have too many logs than not enough, if you’re tight on disk space, deleting an extra log file or two might buy you some time. Some Web servers can have hundreds of sites on a single server; removing one or two files times 100 sites can create a lot of disk space.

Size

The fifth field (100 in our example) is the file size. When newsyslog runs, it compares the size listed here with the size of the file. If the file is larger than the given size in kilobytes, it is rotated. If the file size doesn’t affect when you want it rotated, put an asterisk (*) here.

Time

So far, this seems easy, right? Well, the sixth field, time (* in our example), can make new administrators cry. The time field has four possible values: an asterisk (*), a number, and two different date formats. If you don’t want to rotate a log at a particular time, put an asterisk (*) here.
If you use a plain naked number, newsyslog rotates the log after that many hours have passed. For example, if you want a log to rotate every 24 hours, but don’t care exactly when this rotation happens, put 24 here. The date formats are a little more complicated.
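A parser for the newsyslog.conf line format described so far, added as an illustration; it is not the chapter's code and not newsyslog's own parser. It splits an entry into its fields, detects the optional owner:group field by its colon, accepts the optional trailing pidfile and signal number, and shows that a count of N really keeps N + 1 archived copies (.0 through .N). The first two sample lines are the entries quoted in this chapter; the third is constructed.

```python
# Added example: parse one line of /etc/newsyslog.conf into its fields.
# This is an illustration, not newsyslog's own parser.  It handles the
# optional owner:group field, the optional trailing pidfile and signal,
# and shows that a count of N keeps N + 1 archived copies (.0 through .N).


def parse_newsyslog_line(line: str) -> dict:
    """Split a newsyslog.conf entry into a dict; '*' fields become None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        raise ValueError("not an entry: blank line or comment")
    entry = {"path": tokens.pop(0), "owner": None, "group": None}
    # owner:group is optional; the colon tells it apart from the numeric mode
    if tokens and ":" in tokens[0]:
        owner, _, group = tokens.pop(0).partition(":")
        entry["owner"], entry["group"] = owner or None, group or None
    if len(tokens) < 4:
        raise ValueError(f"need mode, count, size and time: {line!r}")
    entry["mode"] = int(tokens.pop(0), 8)  # three-digit octal permissions
    entry["count"] = int(tokens.pop(0))
    size, when = tokens.pop(0), tokens.pop(0)
    entry["size_kb"] = None if size == "*" else int(size)  # threshold in kilobytes
    entry["time"] = None if when == "*" else when
    entry["flags"] = tokens.pop(0) if tokens else ""
    entry["pidfile"] = tokens.pop(0) if tokens else None
    # newsyslog sends SIGHUP (1) unless the entry names another signal number
    entry["signal"] = int(tokens.pop(0)) if tokens else 1
    if tokens:
        raise ValueError(f"unexpected trailing fields: {tokens}")
    if "B" in entry["flags"] and "Z" in entry["flags"]:
        raise ValueError("B (binary) and Z (gzip) cannot be combined")
    return entry


def archived_names(entry: dict) -> list:
    """Old copies newsyslog keeps beside the live log: numbered .0 up to .count."""
    suffix = ".gz" if "Z" in entry["flags"] else ""
    return [f"{entry['path']}.{n}{suffix}" for n in range(entry["count"] + 1)]


def size_rotation_due(entry: dict, current_size_bytes: int) -> bool:
    """True when a size threshold is set and the live log has outgrown it."""
    return entry["size_kb"] is not None and current_size_bytes > entry["size_kb"] * 1024


# Sample entries: the first two are quoted in the text, the third is constructed
SAMPLE_LINES = [
    "/var/log/slip.log root:network 640 3 100 * Z",
    "/var/log/database dbadmin: 600 6 * $MLH23 B /var/run/db.pid 2",
    "/var/log/messages 644 5 100 * Z",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_newsyslog_line(line)
        archives = archived_names(entry)
        print(f"{entry['path']}: count {entry['count']} keeps {len(archives)} "
              f"archives, newest {archives[0]}, oldest {archives[-1]}")
```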
Sending Log Messages to Programs

Finally, to have another program handle the logs, use a pipe symbol (|) to redirect the messages to that program:

    mail.* |/usr/local/bin/mailstats.pl

Note

Traditionally, UNIX demands tabs between the columns in /etc/syslog.conf, but FreeBSD permits you to use spaces. Be sure to use tabs only if you share one syslog.conf between different UNIXes.

Rotating Logs with Newsyslog.conf

Log files grow and you must control their growth. The standard way to do so is with log rotation. When using log rotation, the oldest logs are deleted, each old log is renamed to the next oldest name, the current log is moved, and a new log file is created. FreeBSD includes a basic log-file handler, newsyslog(8), which will also compress files, restart daemons, and in general handle all the routine tasks of shuffling files. Cron runs newsyslog once an hour. Newsyslog reads /etc/newsyslog.conf and checks each log file listed there. If the conditions listed for rotating the log file are met, the log is rotated and other actions are taken as appropriate.

The /etc/newsyslog.conf file uses one line per log file, and each line has seven fields. For example:

    /var/log/slip.log root:network 640 3 100 * Z

We’ll examine each field in turn.

Log File Path

The first entry on each line is the full path to the log file to be processed (/var/log/slip.log in our example).

Owner and Group

The second entry (root:network in our example) lists the rotated file’s owner and group, separated by a colon (such as root:wheel). This field is optional, and is not present in many of the standard entries. Newsyslog can change the owner and group of old log files. By default, log files are owned by root and are in the wheel group. While it’s not common to change the owner, you might have to use this ability on multi-user machines.
Logging by Program Name

If you’re out of facilities, or if your program simply doesn’t support syslogd, you can use the program’s name to handle logging. An entry for a name requires at least two lines: the program name with a leading exclamation point and then a line with the logging information. For example, to log ppp, you could do this:

    !ppp
    *.* /var/log/ppp.log

This entry first specifies the program name, and then uses wildcards to tell syslogd to append absolutely everything to a file. (You can’t be certain that a random third-party program will have reasonable log levels available, so it’s safest to record everything until you know otherwise.)

Logging Host

My networks habitually have a single logging host that handles not only the FreeBSD boxes, but also Cisco routers, 3Com switches, every other UNIX box, and any other syslogd-speaking systems. Since you have only one host whose logs need handling, this saves a lot of maintenance. Use the at symbol (@) to send log messages to another host. For example, the following line would dump everything your syslogd receives to the logging host on my network:[2]

    *.* @loghost.absolutebsd.com

The /etc/syslog.conf on the log host determines the final destination for the messages it receives. Fortunately, each log message includes the hostname.

Logging to User Sessions

To log user sessions, list usernames separated by commas. Then, if those users are logged in when the log message arrives, the system will write the message on their terminal. To write the messages to all users’ terminals, use an asterisk (*) for the destination. For example, the default syslog.conf includes this line:

    *.emerg *

This says that any message of emergency level will appear on all users’ terminals.